Privacy Forum 2012 - NZOSS position | New Zealand Open Source Society

On 2 May, I presented the NZOSS' viewpoint on cloud computing privacy issues at the Privacy Forum 2012 (PDF programme) in Wellington - the official name for the day was "Think Big? Privacy in the age of big data". The questions we were asked, and my answers (or at least the notes on which my answers were based) are below.

The other two panelists on the panel discussion (led by InternetNZ CEO Vikram Kumar) were Ben Kepes (Director, Diversity) and Waldo Kuipers (Legal Counsel, Microsoft NZ).

The presentations were videoed, so I expect that they will be made available online sometime soon - I'll update this post to include links. The evening of the 2nd, Radio NZ's Checkpoint had a brief segment featuring Bruce Schneier, also included a brief excerpt from me.

Question One

There are many real privacy risks in relation to cloud services. There also many misconceptions. What do you think is the single greatest risk and the single biggest misconception?

Response One

Modern computing tools and the economies of scale and the economics of abundance that "cloud" technologies afford businesses today, both large and small, hold great allure and promise for many of us. Most of us willingly trade our privacy for the ability to take part in global networks like Facebook, Twitter, and LinkedIn, although I suspect most people spend little time considering the privacy implications of using these networks, and assume a certain benevolence from cloud providers based on a "safety in numbers" herd instinct (which may or may not have some legitimate basis).

Of course we may also use cloud services more indirectly, and less willingly. Compliance-related activities like submitting tax details, immigration details, vehicle registrations and other personal data like insurance and personal medical records, credit ratings, and other personal data might well - now or in future - be held by cloud services.

The real misconception is that some corporate vendors are "trustworthy" - that they won't sell or use our data in ways we don't want them to... Or, if they do sell our details, our your personal information won't be used for nefarious purposes or against us in some way.

Unfortunately, I think it is fair to say that the personal privacy horse has already bolted for anyone using the cloud, having provided legitimate personal details when requested. Those of us who do so entrust our interest to entities who, for the most part, have few if any incentives to respect our interests.

At present, we have no real choice but to either remain anonymous and avoid using the modern computing resources available to us, or to trust that eventually our legal systems will mature sufficiently to provide the average person recourse in the event that their details are misused or personal freedom abused. Unfortunately, in some cases, we cannot function in society (e.g. in the case of some of the compliance requirements above, like paying taxes, registering to vote, etc.) without potentially "using" cloud services because our government has chosen to adopt those services from private sector - which often means overseas owned corporations. The current state of corporate influence on our and other governments around the world and their legislative priorities, however, makes the idea of holding cloud providers to account in any useful way seem very unlikely.

Question Two

Keeping in mind the real privacy risks in relation to cloud services, what steps do you think a person or organisation can take to mitigate the risks?

Response Two

Short of "staying off the grid" or otherwise remaining anonymous, and who knows how much longer that will even be legal or possible, there is no way to completely mitigate privacy risks unless you can actually identify a cloud provider whose incentives are compatible with a trustworthy relationship with their customers.

The only organisations I can see who might offer that set of incentives are user and community driven or cooperative organisations. Of course, a model already exists for these communities and it is thriving on the Internet, and largely because of it: the free and open source software community, and related communities like the open data and creative commons communities.

The "Cloud Computing Code of Practice," produced by the good folks at the NZ Computer Society, is a great effort at defining a set of guiding principles - including a thoughtful privacy policy - which cloud services providers should take on board, but only time will tell how many cloud providers volunteer to adhere to its tenets (and whether any outside of NZ will do so).

Even with trusted digital communities, as with physical communities, privacy is only possible with sufficient vigilance and individuals accepting responsibility for their own well-being. At the very least, it would be prudent for any privacy-conscious individuals and organisations to adopt a policy of strongly encrypting all cloud-based network transactions as well as encrypting cloud-stored data, although this is sometimes unacceptably cumbersome, and may require an unrealistically high level of technical capability from people. Analogous to those on the low side of the digital divide, these people will, sadly, become part of the "exposed" class in the future.

Some Uncomfortable Realities of "The Cloud"

Corporations, the primary providers of large scale cloud services, are legally bound, as their only priority, to maximise shareholder value. They must do so by whatever means possible, and some seem quite happy to compromise ethics as long as the benefits are deemed to out weight the risks. The rate of change in the digital technology world ensures that any legal framework to regulate such players remains hopelessly far behind the status quo.
On a more personal level, consider the exhaustive End User License Agreements on which most people trustingly - or with a sense of learned helplessness - click "I Accept"... When you do so, you are almost certainly signing away any opportunity you might have for recourse against misuse of your personal data. Your only protection is to read and comprehend those terms and conditions and/or find someone who has and whom you feel you can trust.
Whatever you think of Kim Dotcom, the abhorrent treatment of Megaupload, and its customers' data, the willingness of foreign governments, most recently the US working with the aid of our own governments to overreach their jurisdictions and to blur the lines of legality regarding alleged copyright infringement, is chilling, and should be forcing anyone using cloud services to take stock.

Not only has Megaupload's business been destroyed prior to any evidence of wrong doing, but its uninvolved customers have been, in some cases, irreparably damaged due to what appears to be law enforcement hubris and corporate lobbying. This is a dangerous precedent.
Given that most cloud-services companies are US owned corporations, it's relevant to point out the repressive implications of much of the US' "war on terror"-induced legislation, particularly the Patriot Act. It creates a corrosive environment for all sorts of reasons, but, in my opinion, makes the US an unacceptable jurisdiction for information services - the country no longer champions liberty in any practical way.
"Free" (of cost) cloud services, if successful, will eventually run out of start up capital or be purchased by a corporation and will invariably either eventually start forcing you to pay to continue accessing your data, or will do nasty things with your data to "monetise" you. Usually they will do both. Every incentive points that way. In short: if you're not paying for a cloud service's product, you are the product.

In Summary

If you want to use the cloud, but retain any modicum of privacy, then:

find trustworthy non-corporate community-based cloud service providers who are not in the US jurisdictions and, ideally, those who voluntarily adhere to the Cloud Computing Code of Practice
trust, but verify (you can distribute that verification burden across a trusted community)
encrypt all content and transactions
don't agree to any terms and conditions unless you understand their implications

Otherwise, accept that privacy is a quaint anachronism.

Useful Links

New threats to privacy...

Implications of cloud services based in the US (or other repressive regimes):